Re: Trigger a DOM event/error when a CSP violation happens. from John J Barton on 2012-10-26 (public-webappsec@w3.org from October 2012)

From: John J Barton <johnjbarton@johnjbarton.com>
Date: Fri, 26 Oct 2012 16:12:37 -0700
To: Dan Veditz <dveditz@mozilla.com>
Cc: Adam Barth <w3c@adambarth.com>, "Eduardo' Vela" <evn@google.com>, public-webappsec@w3.org
Message-ID: <CAFAtnWwzDREZ2HfTLdCh_psr9J4XC4QMOLrR+Yt524UL7=H9Kg@mail.gmail.com>

On Fri, Oct 26, 2012 at 3:53 PM, Dan Veditz <dveditz@mozilla.com> wrote:
...
> Such APIs would be out of scope for this WG so I'd just like to state the
> privacy principal that user-agent supplied policies do not report violations
> to the originating server or page content.

Similarly, extension supplied policies should not report. Otherwise
web pages can probe the users installed extensions.

jjb

> I'm not against firing events at
> the page for violations of the page's own policy.
>
> -Dan Veditz
>

Received on Friday, 26 October 2012 23:13:03 UTC